Combofix just 'hangs' after registry backup when it starts the malware scan


  • This topic is locked
9 replies to this topic

#1 devnullius

  • Members
  • 60 posts

Posted 27 November 2011 - 01:03 PM

Hello,

Win XP SP3 Pro ENG (With Dutch interface pack).

There were some small 'utilities' installed. Nothing fancy, but I couldn't apply a background image anymore (also see: http://answers.yahoo.com/question/index?qid=20111103095823AAstxSt - Unable to Change Desktop Background After Virus Attack?).

No traces of viruses are left anymore; even the background works just fine again. Verified with Panda Cloud Antivirus, Free PC Tools Spyware Doctor, Malwarebytes Anti-Malware, Kaspersky IS 2012, SUPERAntiSpyware and the log file of The Avenger Version 2.0 - all say the system is clean too!

BUT throughout troubleshooting, Combofix always reacted in the same way on this computer: it will not show any more new messages after the notice that it will start scanning, and that this might take 10 minutes or more.

Hard disk becomes silent, no action there. The XP system will become either very sluggish OR seems to react just fine. BUT starting programs, ending programs, starting task manager - it ALWAYS fails once combofix enters the scanning state... :s

Also, when I start Combofix, it kills explorer with a send error report dialogue.

There are no logs created, but I do have a C:\Combofix (which redirects to My Computer).

Any suggestions for what it is I can do next?

Thank you :)

Peace!

Devvie




~~~ notemail@facebook.com ~~~

Cuiusvis hominis est errare, nullius nisi insipientis in errore perseverare
——
All spelling mistakes are my own and may only be distributed under the GNU General Public License! – (© 95-1 by Coredump; 2-011 by DevNullius)


PS: of course, chkdsk c: /f /v /x gives clean results. Same for sfc /scannow. TuneUp Utilities 2010 is installed, with registry cleanup. No temp files exist (fcleaner + Cleanup! by Steven Gould).

Edited by hamluis, 27 November 2011 - 01:12 PM.
Moved from XP to AV, Firewall, etc.



#2 hamluis

  • Moderator
  • 55,411 posts
  • Gender:Male
  • Location:Killeen, TX

Posted 27 November 2011 - 01:12 PM

Aaahhh...we have a Latin scholar :thumbsup: , I knew that studying it would pay off some day :).

Sorry, but ComboFix is a malware tool...as such, it is not a point of discussion or use in this forum, which is oriented for XP system issues.

ComboFix usage, Questions, Help - Look here - http://www.bleepingcomputer.com/forums/topic273628.html

I will move this to a forum where someone may be able to attempt to assist you.

I will add a note about programs like System Mechanic:

Bleeping Computer DOES NOT recommend the use of registry cleaners/optimizers for several reasons:
  • Registry cleaners are extremely powerful applications that can damage the registry by using aggressive cleaning routines and cause your computer to become unbootable.

    The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system inoperable. For a more detailed explanation, read Understanding The Registry.
  • Not all registry cleaners are created equal. There are a number of them available but they do not all work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad entry". One cleaner may find entries on your system that will not cause problems when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.
  • Not all registry cleaners create a backup of the registry before making changes. If the changes prevent the system from booting up, then there is no backup available to restore it in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.
  • Improperly removing registry entries can hamper malware disinfection and make the removal process more difficult if your computer becomes infected. For example, removing malware related registry entries before the infection is properly identified can contribute to system instability and even make the malware undetectable to removal tools.
  • The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results".

Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great.
Louis

Edited by hamluis, 27 November 2011 - 01:14 PM.
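The point in the post above that is worth turning into a check is the one about backups: export the registry before any cleaner touches it, and then look at what the cleaner actually did. The following Python script is an added example (it is not from this thread, from BleepingComputer, or from any cleaner vendor): it parses two regedit-format .reg exports, one taken with `reg export` before a cleaner run and one after, and lists exactly which keys and values were removed or changed. The two sample exports embedded in it are constructed for the example; the ExampleCo/OldTool paths, value names and the cleaner behaviour they depict are assumptions, not data from the original poster's machine.

```python
"""Added example: diff two regedit-format .reg exports to see exactly which
keys and values a registry cleaner removed or changed. Sample data below is
constructed; real exports come from `reg export HKLM\\Software before.reg`."""
import re
from typing import Dict, List, Tuple

RegTree = Dict[str, Dict[str, str]]  # key path -> {value name -> raw data}
_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
_VALUE_RE = re.compile(r'^(?:(@)|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg(text: str) -> RegTree:
    """Parse .reg text. Handles the version header, ';' comments, [-KEY] key
    deletions, "Name"=- value deletions, the @ default value and hex data
    continued over lines with a trailing backslash. Data stays as raw text."""
    lines: List[str] = []
    pending = ""
    for raw in text.splitlines():          # 1. re-join continuation lines
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        lines.append(pending + line)
        pending = ""
    tree: RegTree = {}
    current = None
    for line in lines:                      # 2. walk the [key] sections
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor") or line == "REGEDIT4"):
            continue
        key = _KEY_RE.match(line)
        if key:
            minus, path = key.groups()
            if minus:                       # [-HKEY...] deletes the whole key
                tree.pop(path, None)
                current = None
            else:
                current = tree.setdefault(path, {})
            continue
        value = _VALUE_RE.match(line)
        if current is None or not value:
            continue                        # tolerate lines we do not understand
        default, name, data = value.groups()
        name = "(Default)" if default else name
        if data == "-":                     # "Name"=- deletes a single value
            current.pop(name, None)
        else:
            current[name] = data
    return tree


def load_reg(path: str) -> RegTree:
    with open(path, encoding="utf-16") as fh:   # reg.exe writes UTF-16 LE with BOM
        return parse_reg(fh.read())


def diff_reg(before: RegTree, after: RegTree) -> Tuple[List[str], List[tuple], List[tuple]]:
    """Return (removed_keys, removed_values, changed_values) going before -> after.
    Additions are ignored on purpose: the audit question is what the cleaner took."""
    removed_keys = sorted(k for k in before if k not in after)
    removed_values, changed_values = [], []
    for key, values in before.items():
        if key not in after:
            continue                        # already reported as a removed key
        for name, old in values.items():
            if name not in after[key]:
                removed_values.append((key, name))
            elif after[key][name] != old:
                changed_values.append((key, name, old, after[key][name]))
    return removed_keys, sorted(removed_values), sorted(changed_values)


# Constructed sample exports (raw strings keep the .reg escaping \\ and \" intact).
# The "after" export is what an over-eager cleaner left behind (assumed behaviour).
BEFORE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="\"C:\\Program Files\\ExampleCo\\updater.exe\" /quiet"
"OldToolTray"="C:\\OldTool\\tray.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OldTool]
"DisplayName"="Old Tool 1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCo\Settings]
@="default data"
"Timeout"=dword:0000001e
"Blob"=hex:01,02,03,\
  04,05
"""
AFTER_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OldToolTray"="C:\\OldTool\\tray.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCo\Settings]
@="default data"
"Timeout"=dword:0000000a
"Blob"=hex:01,02,03,\
  04,05
"""

if __name__ == "__main__":
    print(*diff_reg(parse_reg(BEFORE_REG), parse_reg(AFTER_REG)), sep="\n")
```

On a real machine, run `reg export HKLM\Software before.reg` before the cleaner and the same command to after.reg afterwards, then call load_reg on both files and pass the results to diff_reg. A cleaner that shows up in the changed-values list, or that removes Run or Uninstall entries for software that is still installed, is doing more than housekeeping; the before.reg file is also exactly what you double-click to put those entries back.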


#3 devnullius
  • Topic Starter
  • Members
  • 60 posts

Posted 27 November 2011 - 01:20 PM

Louis, the reg cleaning by TU 2010 is not the problem... It's a proven cleaner - and it actually CAN help and clean up an old Windows system! Never had real problems by using it. And I fix MANY compus... ; )

In general; your warning is valid - but soooo 2000 ; ))

Oh, and no registry cleaning was done during the cleanup-phases. It wasn't run after the malware cleanup. Which wasn't very serious to begin with!

Thank you :)

Devnullius

Edited by devnullius, 27 November 2011 - 01:24 PM.


#4 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,934 posts
  • Gender:Male
  • Location:NJ USA

Posted 27 November 2011 - 03:31 PM

It appears we will need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If GMER won't run, skip it and move on.
Include a link back to the newly created log in this topic.

Let me know if that went well.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#5 devnullius
  • Topic Starter
  • Members
  • 60 posts

Posted 28 November 2011 - 03:42 PM

D.D.S. seems to be the program that 'hangs' Combofix.

When I run it (Safe Mode with Networking), all seems to go well up until it has reached approx. 50 #'s (hard to count :).

THEN the hard disk LED will stop blinking, and starting new programs / shutting down the computer all fails.

I also think I might have found the original program that messed it all up. I installed 1 warez program (Harddisk Sentinel), and removed it just in case.

I now have a computer that starts very sluggishly. Even the start-up sound crackles now. Once everything has started, Windows appears to be responding well. But all HD-related things seem to be much slower (Puran boot-time defrag, for example).

Without log, nothing to post.

I'm getting curious now... Inspiration much needed : )

Formatting the disk would be horrible - for I have all these nice giveaways that cannot be re-installed any more :/

While troubleshooting, I also removed all antivirus programs (re-installed SUPERAntiSpyware). All systems say ALL is clean. An active malware process WAS NEVER FOUND. Only registry garbage and some files.

1 more side-note... At logon, I always start a custom cleanup batch file (based on Windows Disk Cleanup). The strange part is, now that I have removed HD Sentinel, this batch file is sometimes started 4 times... No idea why :|

Feeling noobie, so thank you :)

Peace,

Devnullius

EDIT:
--> I'll add GMER log as requested. But I suspect it to be clean...

--> I'll re-install evaluation version of HD Sentinel. Just in case

--> AV reports for suspect software
VirusTotal reports for the used warez version of HD Sentinel...

1st, the patch (keygen): http://www.virustotal.com/file-scan/report.html?id=04becb66a7685c8bf5f4bdb4928e10070adff23736e2d6f2498de5b652189cda-1322513991 (considered clean).
2nd, the setup: http://www.virustotal.com/file-scan/report.html?id=54e4fdbeeae728c83b5fcd331811a2ee86372861510f064dff4963f9c073f2c8-1322504153 (100% clean - which is rare;)

--> I've repeated sfc /scannow & chkdsk c: /f /v /x

Edited by devnullius, 28 November 2011 - 04:24 PM.


#6 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,934 posts
  • Gender:Male
  • Location:NJ USA

Posted 28 November 2011 - 04:34 PM

Stop running ComboFix before it kills the PC.
Try using an alternate to DDS
If you cannot get DDS to work, please try this instead.

Please download OTL by OldTimer and save it to your Desktop.
  • Close all other applications and windows so that you have nothing open.
  • Double click on the OTL icon on your desktop.

    Vista/Windows 7 users right-click and select Run As Administrator.
    If you receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.
  • Under Output, ensure that Minimal Output is selected.
  • Click the "Scan All Users" checkbox.
    Leave the remaining selections to the default settings.
  • Click the Run Scan button.
  • Do not use the computer while the scan is in progress.
  • When the scan is complete, two log files will open in Notepad:
    • OTListIt.txt <- (will be maximized)
    • Extras.txt <- (will be minimized in the Task Bar).
  • Both logs are automatically saved to the Desktop.
  • Please copy and paste the contents of OTListIt.txt and Extras.txt in your next reply.
    If the Extras.txt log is too long, you may need to add a second reply to your thread or upload it as an attachment.
  • Click the red X in the upper right corner to exit OTL.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run. If OTL did not work, then reply back here.

#7 devnullius
  • Topic Starter
  • Members
  • 60 posts

Posted 28 November 2011 - 05:57 PM

I put the logs here: http://www.zumodrive.com/share/f48zM2Y0Ym . Unless specified otherwise, I ran OTL in normal mode.

It also includes the GMER log.

I followed the instructions to the letter, even for the virtual CD drivers. PowerISO never had any problems with ComboFix, but I did it anyway ;) No drivers were found, I believe.

GMER log WITH IAT/EAT and "show all" options enabled - the only thing I deviated from ; )

I re-installed official Pro version of Harddisk Sentinel. Did not change anything with boot.

Only other thing I can imagine is the Kaspersky IS 2012... I'll google for an uninstaller / I will re-install / troubleshoot that further.

Much appreciated

(k)

Devvie

Edited by devnullius, 28 November 2011 - 06:44 PM.


#8 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,934 posts
  • Gender:Male
  • Location:NJ USA

Posted 28 November 2011 - 09:04 PM

I think AppRemover will do it.

You need to post the logs here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks. (see post 4)

#9 devnullius
  • Topic Starter
  • Members
  • 60 posts

Posted 29 November 2011 - 06:25 AM

I removed Kaspersky IS 2012 with its own uninstall tool. After reboot, it complains about not being able to run a VBS script (with a random name). But I guess all is clean (as it should be).

Downloaded uninstaller here: http://support.kaspersky.com/downloads/utils/kavremover.exe

Also, following instructions (Please copy and paste the contents of OTListIt.txt and Extras.txt in your next reply.), I will now also make a new thread, to be found here: http://www.bleepingcomputer.com/forums/topic429834.html

I put all my normal mode & safe mode logs @ http://www.zumodrive.com/share/f48zM2Y0Ym . Above reply also has a selection of these log-files.

Peace! And thank you : )

Devvie

EDIT: I also used AppRemover, which could not find any traces of security software(s)...

Edited by devnullius, 29 November 2011 - 08:21 AM.


#10 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,141 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 29 November 2011 - 10:03 AM

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Response Team member...nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process or make things worse, which would extend the time it takes to clean your computer.

From this point on the Malware Response Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.

It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable. If HelpBot replies to your topic, please follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic until you are cleared by the Malware Response Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
